\documentclass[12pt,a4paper,titlepage,twoside]{article}
\usepackage[a4paper,top=3cm,inner=2.5cm,outer=4cm,twoside]{geometry}
\usepackage{newcent}
\usepackage{fancyhdr}
\usepackage[margin=2em]{caption}
\usepackage[utf8]{inputenc}
\usepackage[x11names]{xcolor}
\usepackage{graphicx}
\usepackage{hyperref}
\usepackage{sectsty}
% Section titles: sectsty's \sectionrule is applied to every sectioning level.
\allsectionsfont{\sectionrule{3ex}{3pt}{-1ex}{1pt}}
% Running head and foot (fancyhdr): logo on the left, nothing in the centre,
% the report title on the right, and the page number centred in the footer.
\pagestyle{fancy}
\fancyhead[L]{\includegraphics[height=1em]{hexena.eps}}
\fancyhead[C]{}
\fancyhead[R]{\textcolor{SpringGreen2}{Hexena Malware Report}}
\fancyfoot[C]{\thepage}

% \hexval{XX}: typeset a hexadecimal value in typewriter type with a leading
% dollar sign, e.g. \hexval{FF}.
\newcommand{\hexval}[1]{%
  \texttt{\$#1}%
}

%       -- 8< --        -- 8< --        -- 8< --        -- 8< --

% Values shown in the report body: \hexenaFilesize in the general
% information table, the three entropy macros in the entropy equations and
% \hexenaMZHeaderNorm in the MZ header equation. The last four contain
% \times and a superscript, so they can only be used in math mode.
% NOTE(review): these look like placeholders that the generator overwrites
% for each sample -- confirm. A finished report that still shows a file size
% of -1 was presumably never populated and should not be relied on.
\newcommand{\hexenaFilesize}{-1}
\newcommand{\hexenaEntropy}{0.100 \times 10^{-8}}
\newcommand{\hexenaREntropy}{0.200 \times 10^{-8}}
\newcommand{\hexenaEntropyQuotient}{0.300 \times 10^{-8}}
\newcommand{\hexenaMZHeaderNorm}{0.000 \times 10^{-8}}

%       -- 8< --        -- 8< --        -- 8< --        -- 8< --

\begin{document}

\section{General Information}
\label{sec:general_information}

% annotation.tex is included as LaTeX source, not as literal text.
% NOTE(review): this template does not show who writes that file. If any of
% its text is copied from the analysed sample (strings, file names), it has
% to be escaped before it reaches this \input.
\input{annotation.tex}

Table~\ref{tab:general_information} summarises some general
information about the malware file.

% General file facts. Only the file size row is written out here; the three
% hexena marker comments inside the tabular mark where the MD5, SHA-1 and
% SHA-256 rows go (presumably filled in by the generator -- confirm).
% NOTE(review): MD5 and SHA-1 are no longer collision resistant. When the
% report is used to identify a sample, match on the SHA-256 value.
\begin{table}[hbtp]
  \centering
  \begin{tabular}{lr}
    %\hline
    File size & \hexenaFilesize \\
%-- hexena: hash/md5
%-- hexena: hash/sha1
%-- hexena: hash/sha256
    %\hline
  \end{tabular}
  \caption{General file information}
  \label{tab:general_information}
\end{table}

This report was generated with Hexena version
%-- hexena: version

\section{Entropy Analysis}
\label{sec:entropy_analysis}

% Entropy of the file, taken from \hexenaEntropy.
% NOTE(review): neither the unit nor the logarithm base of H is stated
% anywhere in this template. Readers need it to interpret the value (for a
% byte histogram with log base 2 the range would be 0 to 8) -- confirm
% against the generator and state it in the text.
\begin{equation}
  \label{eq:entropy}
  H = \hexenaEntropy
\end{equation}

\begin{equation}
  \label{eq:rle_entropy}
  \tilde H = \hexenaREntropy
\end{equation}

\begin{equation}
  \label{eq:entropy_fraction}
  \frac{H}{\tilde H} = \hexenaEntropyQuotient
\end{equation}

Equation~(\ref{eq:entropy}) gives the entropy found in the file,
equation~(\ref{eq:rle_entropy}) the reduced
entropy\footnote{Consecutive occurrences of the same byte are counted
  as one byte only.}, and equation~(\ref{eq:entropy_fraction}) the
quotient of the two. The quotient gives a hint about the
compression used in this file.

The corresponding histogram is given in
figure~\ref{fig:1gram_histogram}. The top of the graph displays the
frequencies of the bytes found in the file (from \hexval{00} to \hexval{FF}),
whereas the bottom shows the reduced histogram used for the
calculation of $\tilde H$.

\begin{figure}[bthp]
  \centering
  \includegraphics[width=\textwidth]{1-gram_histogram.eps3}
  \caption{1-gram histogram. Light gray marks punctuation characters, medium gray numbers and dark gray ASCII codes \$40 to \$7f.}
  \label{fig:1gram_histogram}
\end{figure}

%-- hexena: blockentropy

\section{MZ Header Information}
\label{sec:mz_header_information}

Equation~(\ref{eq:norm_mzheader}) gives the distance to a ``normal''
MZ header.

\begin{equation}
  \label{eq:norm_mzheader}
  |mz| = \hexenaMZHeaderNorm
\end{equation}

The following is a hexdump of the MZ header:
% mzheader.dump.tex is read with \input, so its contents are executed as
% LaTeX rather than printed literally.
% NOTE(review): the dump is presumably produced from the analysed sample.
% Confirm that the generator escapes the LaTeX special characters
% (\ { } $ & # ^ _ ~ %) in anything copied from the sample, and build the
% report with shell escape disabled (-no-shell-escape).
\begin{center}
  \input{mzheader.dump.tex}
\end{center}
The position of the PE header is given by the last four bytes.
%-- hexena: mz/lfanew

\section{PE Header Information}
\label{sec:pe_header_information}

The fields of the PE header can be found in
table~\ref{tab:pe_header_fields}. The optional header fields are found
in table~\ref{tab:pe_optional_header_fields}.
%-- hexena: pe/number_of_sections

% PE header fields. The rows of this three-column tabular (lrr) come from
% peheader.table.tex, which is read with \input and therefore executed as
% LaTeX source.
% NOTE(review): the rows are presumably generated from the analysed sample;
% any field value copied from it must have LaTeX special characters escaped
% by the generator -- confirm.
\begin{table}
  \centering
  \begin{tabular}{lrr}
    \input{peheader.table.tex}
  \end{tabular}
  \caption{PE Header fields}
  \label{tab:pe_header_fields}
\end{table}

% PE optional header fields. The rows of this three-column tabular (lrr)
% come from peoptionalheader.table.tex, which is read with \input and
% therefore executed as LaTeX source.
% NOTE(review): presumably generated from the analysed sample; values copied
% from it need LaTeX escaping on the generator side -- confirm.
\begin{table}
  \centering
  \begin{tabular}{lrr}
    \input{peoptionalheader.table.tex}
  \end{tabular}
  \caption{PE Optional Header fields}
  \label{tab:pe_optional_header_fields}
\end{table}

\section{Automated Classification}
\label{sec:automated_classification}

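This section contains automated classification results. Currently
only an SVM (Support Vector Machine) with a single model is
implemented. Because the result comes from a single model, it should
be read as an indication rather than a confirmed verdict.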

\subsection{SVM classification}
\label{sec:svm_classification}

The ``vostro7'' model, applied to this file, classifies it as a
%-- hexena: classification/svm/vostro7
file.

\end{document}
